Deploying ABAC policies using RBAC systems

The flexibility, portability and identity-less access control features of Attribute Based Access Control(ABAC) make it an attractive choice to be employed in many application domains. However, commercially viable methods for implementation of ABAC do not exist while a vast majority of organizations use Role Based Access Control (RBAC) or their temporal extensions, such as Temporal Role Based Access Control (TRBAC). In this paper, we present a solution for organizations having a RBAC/TRBAC that can deploy an ABAC policy. Essentially, we propose a method for the translation of an ABAC policy (including time constraints) into a form that can be adopted by an RBAC/TRBAC system. We experimentally demonstrate that time taken to evaluate an access request in RBAC and TRBAC systems is significantly less than that of the corresponding ABAC system. Since the cost of security management is more expensive under RBAC when compared to ABAC, we present an analysis of the different management costs and present mitigation approaches by considering various administrative operations.

[1]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[2]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[3]  Xin Jin,et al.  RABAC: Role-Centric Attribute-Based Access Control , 2012, MMM-ACNS.

[4]  Vijayalakshmi Atluri,et al.  Efficient Bottom-Up Mining of Attribute Based Access Control Policies , 2017, 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC).

[5]  D. Richard Kuhn,et al.  Attribute-Based Access Control , 2017, Computer.

[6]  Vijayalakshmi Atluri,et al.  Toward Mining of Temporal Roles , 2013, DBSec.

[7]  David M. Nicol,et al.  A framework integrating attribute-based policies into role-based access control , 2012, SACMAT '12.

[8]  Vijayalakshmi Atluri,et al.  Enforcing Separation of Duty in Attribute Based Access Control Systems , 2015, ICISS.

[9]  Ravi S. Sandhu,et al.  A model for attribute-based user-role assignment , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[10]  D. Richard Kuhn,et al.  Adding Attributes to Role-Based Access Control , 2010, Computer.

[11]  Vijayalakshmi Atluri,et al.  The role mining problem: finding a minimal descriptive set of roles , 2007, SACMAT '07.

[12]  Vijayalakshmi Atluri,et al.  Migrating from DAC to RBAC , 2015, DBSec.

[13]  Shamik Sural,et al.  Enabling the Deployment of ABAC Policies in RBAC Systems , 2018, DBSec.